direct enable mode acess with the Help of ACS

Unanswered Question
Jul 8th, 2009

Dear All, I am trying to setup a group which has priv 15 access & they should see enable mode after authentication via ACS, they should not be asked for enable password. How ca I do this, I am unable to do so. I tried it but its not working. What I need is ACS should assign priv level 15 to configured users. I dont want to use Shell commands set.

Same thing I need for ASA firewall as well..

Is there any way to achive this.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jagdeep Gambhir Wed, 07/08/2009 - 10:16

For IOS devices,

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

On ACS

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

This feature is not supported on ASA/firewalls.

Regards,

~JG

Do rate helpful posts

jain.nitin Wed, 07/08/2009 - 10:30

I tried this but it didnt work for me see my config below on deivces

aaa new-model

aaa group server tacacs+ bwaaa

server 10.2.6.1

server 10.2.6.2

ip tacacs source-interface Vlan1111

!

aaa authentication login aaa-list group bwaaa local

aaa authentication enable default group bwaaa enable

aaa authorization exec aaa-list group bwaaa local

aaa accounting exec aaa-list start-stop group bwaaa

aaa accounting commands 1 aaa-list start-stop group bwaaa

aaa accounting commands 15 aaa-list start-stop group bwaaa

aaa accounting system default start-stop group bwaaa

Jagdeep Gambhir Wed, 07/08/2009 - 12:03

First try with simple vanilla config

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

If still issue is there get the debugs then

debug aaa authentication

debug aaa authorization

debug tacacs

Regards,

~JG

jain.nitin Thu, 07/09/2009 - 11:15

Hi, Thanks it worlked with default list but it is not working with my defined list..I dont know whats the reason behind that..do you have any idea

Actions

This Discussion